PRA Dear CEO letter: 2024 Priorities for International Bank Supervision

On the 11th of January 2024, the Bank of England Prudential Regulation Authority (“PRA”) released a letter directed towards CEOs of international banks and designated investment firms in which the PRA’s 2024 priorities were outlined. The following is an overview of the PRA’s 2024 priorities:

Risk Management and Controls

The PRA has emphasized firms avoid viewing risk “in silos” by considering issues highlighted in their prior equity financing and fixed income financing letters. 

The PRA will continue to prioritise counterparty credit risk and secured financing risks in 2024, with emphasis on non-bank financial institutions. In essence, they are seeking to “gain assurance that firms’ overall risk management frameworks are evolving in line with the changing macro environment”.

Financial Resilience

Given the challenging risk environment and an uncertain future global macroeconomic outlook, firms’ credit portfolios are facing continued pressure. Thus, financial services firms are expected to ensure effective management of their financial resilience (e.g., maintain robust treasury management).

The PRA specifically warned firms to anticipate “ongoing heightened engagement with [the PRA] on counterparty and credit risk”. They reminded firms of the Basel 3.1 standards to be implemented on the 22nd of May 2024; firms should assess their existing regulatory framework and plan accordingly.

Operational Resilience

As per the supervisory statement 1/21, “firms should be able to demonstrate that they can remain within impact tolerances for all their important business services (IBS)” by March 2025. 

Branches are expected to have approaches that deliver similar outcomes. The PRA expects the firms’ operational resilience programmes to include:

• Clear identification and remediation plans for vulnerabilities to their IBS delivery,
• Identification of resources needed for IBS,
• Running severe, yet plausible, scenario testing (including but not limited to cyber-related disruptions), and
• Board and senior management oversight.

In line with their supervisory statement 2/21, risks associated with third party providers should also be appropriately mitigated and the PRA should be notified of any material arrangements. 

Vulnerabilities associated with outsourcing and third-party providers must be considered within the operational resilience programme as well.

Data Risk

The PRA reiterated that the “foundation of effective supervision is the submission of complete, timely, and accurate regulatory returns”. They continue to identify deficiencies in the controls over data, governance, systems, and production controls related to regulatory reporting. As such, skilled person reviews will continue to be utilised in 2024.

As highlighted by the PRA, “a common theme that underpins this year’s priorities is the need for robust governance, risk management and controls”. They are encouraging Boards and Executives to “continuously challenge themselves to ensure they have appropriate structures, processes, capabilities and information in place”.